Secure endpoint

I'm creating a website using Xano, and I found out that users can inspect the website and find the endpoint in my JavaScript files. Is there a way I can make the endpoint only run if it's being run on a specific domain?

Comments

  • Ray Deck, Trusted Xano Expert

    This is a common situation that a lot of people don't notice - so great that you're asking! Yes this can be a risk if you have sensitive endpoints that lack authentication or regulation. If you mostly use authenticated endpoints you're much better off: they basically refuse traffic if they haven't already logged in.

    Higher-work approaches include:

    1. Add a request header that is specific to your web host
    2. Generate a CSRF token to regulate requests
    3. Check for repeat requests from a given domain to block attacks

    Xano can work with any of the above - and others - with a few lines of directives in the function stack.

    We discuss issues of security frequently as part of our focus on the hardest 5% during our daily State Change Pro office hours.

  • Chris Coleman, Administrator

    Here's a video we released on our YouTube channel recently going over some of the methods you can use to secure your Xano APIs.